#define KRB5_DB_LOCKMODE_DONTBLOCK 0x0004
#define KRB5_DB_LOCKMODE_PERMANENT 0x0008
-/* db_invoke methods */
-#define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE 0x00000080
-
-typedef struct _kdb_check_allowed_to_delegate_req {
- krb5_magic magic;
- const krb5_db_entry *server;
- krb5_const_principal proxy;
- krb5_const_principal client;
-} kdb_check_allowed_to_delegate_req;
-
/* libkdb.spec */
krb5_error_code krb5_db_setup_lib_handle(krb5_context kcontext);
krb5_error_code krb5_db_open( krb5_context kcontext, char **db_args, int mode );
void krb5_db_refresh_config(krb5_context kcontext);
-krb5_error_code krb5_db_invoke ( krb5_context kcontext,
- unsigned int method,
- const krb5_data *req,
- krb5_data *rep );
+krb5_error_code krb5_db_check_allowed_to_delegate(krb5_context kcontext,
+ krb5_const_principal client,
+ const krb5_db_entry *server,
+ krb5_const_principal proxy);
/* default functions. Should not be directly called */
/*
void (*refresh_config)(krb5_context kcontext);
/*
- * Optional: Perform an operation on input data req with output stored in
- * rep. Return KRB5_PLUGIN_OP_NOTSUPP if the module does not implement the
- * method. Defined methods are:
- *
- * KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE: req contains a
- * kdb_check_allowed_to_delegate_req structure. Perform a policy check
- * on server being allowed to obtain tickets from client to proxy.
- * (Note that proxy is the target of the delegation, not the delegating
- * service; the term "proxy" is from the viewpoint of the delegating
- * service asking another service to perform some of its work in the
- * authentication context of the client. This terminology comes from
- * the Microsoft S4U protocol documentation.) Return 0 if policy
- * allows it, or an appropriate error (such as KRB5KDC_ERR_POLICY) if
- * not. If this method is not implemented, all S4U2Proxy delegation
- * requests will be rejected. Do not place any data in rep.
+ * Optional: Perform a policy check on server being allowed to obtain
+ * tickets from client to proxy. (Note that proxy is the target of the
+ * delegation, not the delegating service; the term "proxy" is from the
+ * viewpoint of the delegating service asking another service to perform
+ * some of its work in the authentication context of the client. This
+ * terminology comes from the Microsoft S4U protocol documentation.)
+ * Return 0 if policy allows it, or an appropriate error (such as
+ * KRB5KDC_ERR_POLICY) if not. If this method is not implemented, all
+ * S4U2Proxy delegation requests will be rejected.
*/
- krb5_error_code (*invoke)(krb5_context context, unsigned int method,
- const krb5_data *req, krb5_data *rep);
+ krb5_error_code (*check_allowed_to_delegate)(krb5_context context,
+ krb5_const_principal client,
+ const krb5_db_entry *server,
+ krb5_const_principal proxy);
} kdb_vftabl;
#endif /* !defined(_WIN32) */
}
static krb5_error_code
-check_allowed_to_delegate_to(krb5_context context,
- krb5_const_principal client,
+check_allowed_to_delegate_to(krb5_context context, krb5_const_principal client,
const krb5_db_entry *server,
krb5_const_principal proxy)
{
- kdb_check_allowed_to_delegate_req req;
- krb5_data req_data;
- krb5_data rep_data;
- krb5_error_code code;
-
/* Can't get a TGT (otherwise it would be unconstrained delegation) */
- if (krb5_is_tgs_principal(proxy)) {
+ if (krb5_is_tgs_principal(proxy))
return KRB5KDC_ERR_POLICY;
- }
/* Must be in same realm */
- if (!krb5_realm_compare(context, server->princ, proxy)) {
+ if (!krb5_realm_compare(context, server->princ, proxy))
return KRB5KDC_ERR_POLICY;
- }
-
- req.server = server;
- req.proxy = proxy;
- req.client = client;
- req_data.data = (void *)&req;
- req_data.length = sizeof(req);
-
- rep_data.data = NULL;
- rep_data.length = 0;
-
- code = krb5_db_invoke(context,
- KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE,
- &req_data,
- &rep_data);
- if (code == KRB5_PLUGIN_OP_NOTSUPP) {
- code = KRB5KDC_ERR_POLICY;
- }
-
- assert(rep_data.length == 0);
-
- return code;
+ return krb5_db_check_allowed_to_delegate(context, client, server, proxy);
}
krb5_error_code
/* OpenSolaris: audit_krb5kdc_tgs_req(...) or
audit_krb5kdc_tgs_req_2ndtktmm(...) */
- /* ... krb5_db_invoke ... */
}
void
}
krb5_error_code
-krb5_db_invoke(krb5_context kcontext,
- unsigned int method,
- const krb5_data *req,
- krb5_data *rep)
+krb5_db_check_allowed_to_delegate(krb5_context kcontext,
+ krb5_const_principal client,
+ const krb5_db_entry *server,
+ krb5_const_principal proxy)
{
- krb5_error_code status = 0;
+ krb5_error_code ret;
kdb_vftabl *v;
- status = get_vftabl(kcontext, &v);
- if (status)
- return status;
- if (v->invoke == NULL)
+ ret = get_vftabl(kcontext, &v);
+ if (ret)
+ return ret;
+ if (v->check_allowed_to_delegate == NULL)
return KRB5_PLUGIN_OP_NOTSUPP;
- return v->invoke(kcontext, method, req, rep);
+ return v->check_allowed_to_delegate(kcontext, client, server, proxy);
}
krb5_db_alloc
krb5_db_free
krb5_db_audit_as_req
+krb5_db_check_allowed_to_delegate
krb5_db_check_policy_as
krb5_db_check_policy_tgs
krb5_db_check_transited_realms
krb5_db_get_mkey_list
krb5_db_get_context
krb5_db_get_principal
-krb5_db_invoke
krb5_db_iterate
krb5_db_lock
krb5_db_put_principal
$(srcdir)/adb_openclose.c \
$(srcdir)/adb_policy.c \
$(srcdir)/kdb_db2.c \
- $(srcdir)/kdb_ext.c \
$(srcdir)/pol_xdr.c \
$(srcdir)/db2_exp.c \
$(srcdir)/lockout.c
adb_openclose.o \
adb_policy.o \
kdb_db2.o \
- kdb_ext.o \
pol_xdr.o \
db2_exp.o \
lockout.o
krb5_timestamp authtime, krb5_error_code error_code),
(kcontext, request, client, server, authtime, error_code));
-WRAP_K (krb5_db2_invoke,
- (krb5_context kcontext,
- unsigned int method,
- const krb5_data *request,
- krb5_data *response),
- (kcontext, method, request, response));
-
static krb5_error_code
hack_init (int dal_version)
{
/* check_policy_as */ wrap_krb5_db2_check_policy_as,
0,
/* audit_as_req */ wrap_krb5_db2_audit_as_req,
- 0,
- /* invoke */ wrap_krb5_db2_invoke
+ 0, 0
};
krb5_db_entry *client, krb5_db_entry *server,
krb5_timestamp authtime, krb5_error_code error_code);
-/* methods */
-krb5_error_code
-krb5_db2_invoke(krb5_context context,
- unsigned int method,
- const krb5_data *req,
- krb5_data *rep);
-
#endif /* KRB5_KDB_DB2_H */
+++ /dev/null
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * plugins/kdb/db2/kdb_ext.c
- *
- * Copyright (C) 2009 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- *
- */
-
-#include "k5-int.h"
-#include "kdb.h"
-#include <stdio.h>
-#include <errno.h>
-#include "kdb_db2.h"
-
-krb5_error_code
-krb5_db2_invoke(krb5_context context,
- unsigned int method,
- const krb5_data *req,
- krb5_data *rep)
-{
- return KRB5_PLUGIN_OP_NOTSUPP;
-}
/* check_policy_tgs */ NULL,
/* audit_as_req */ krb5_ldap_audit_as_req,
/* refresh_config */ NULL,
- /* invoke */ krb5_ldap_invoke,
+ /* check_allowed_to_delegate */ krb5_ldap_check_allowed_to_delegate
};
$(srcdir)/princ_xdr.c \
$(srcdir)/ldap_fetch_mkey.c \
$(srcdir)/ldap_service_stash.c \
- $(srcdir)/kdb_ext.c \
$(srcdir)/kdb_xdr.c \
$(srcdir)/ldap_err.c \
$(srcdir)/lockout.c \
princ_xdr.o \
ldap_fetch_mkey.o \
ldap_service_stash.o \
- kdb_ext.o \
kdb_xdr.o \
ldap_err.o \
lockout.o
+++ /dev/null
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * plugins/kdb/ldap/kdb_ext.c
- *
- * Copyright (C) 2009 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- *
- */
-
-#include "k5-int.h"
-#include "kdb.h"
-#include <stdio.h>
-#include <errno.h>
-#include "kdb_ldap.h"
-
-static krb5_error_code
-krb5_ldap_check_allowed_to_delegate(krb5_context context,
- unsigned int method,
- const krb5_data *request,
- krb5_data *response)
-{
- const kdb_check_allowed_to_delegate_req *req;
- krb5_error_code code;
- krb5_tl_data *tlp;
-
- req = (const kdb_check_allowed_to_delegate_req *)request->data;
-
- code = KRB5KDC_ERR_POLICY;
-
- for (tlp = req->server->tl_data; tlp != NULL; tlp = tlp->tl_data_next) {
- krb5_principal acl;
-
- if (tlp->tl_data_type != KRB5_TL_CONSTRAINED_DELEGATION_ACL)
- continue;
-
- if (krb5_parse_name(context, (char *)tlp->tl_data_contents, &acl) != 0)
- continue;
-
- if (krb5_principal_compare(context, req->proxy, acl)) {
- code = 0;
- krb5_free_principal(context, acl);
- break;
- }
- krb5_free_principal(context, acl);
- }
-
- return code;
-}
-
-krb5_error_code
-krb5_ldap_invoke(krb5_context context,
- unsigned int method,
- const krb5_data *req,
- krb5_data *rep)
-{
- krb5_error_code code = KRB5_PLUGIN_OP_NOTSUPP;
-
- switch (method) {
- case KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE:
- code = krb5_ldap_check_allowed_to_delegate(context, method, req, rep);
- break;
- default:
- break;
- }
-
- return code;
-}
{
(void) krb5_ldap_lockout_audit(kcontext, client, authtime, error_code);
}
+
+krb5_error_code
+krb5_ldap_check_allowed_to_delegate(krb5_context context,
+ krb5_const_principal client,
+ const krb5_db_entry *server,
+ krb5_const_principal proxy)
+{
+ krb5_error_code code;
+ krb5_tl_data *tlp;
+
+ code = KRB5KDC_ERR_POLICY;
+
+ for (tlp = server->tl_data; tlp != NULL; tlp = tlp->tl_data_next) {
+ krb5_principal acl;
+
+ if (tlp->tl_data_type != KRB5_TL_CONSTRAINED_DELEGATION_ACL)
+ continue;
+
+ if (krb5_parse_name(context, (char *)tlp->tl_data_contents, &acl) != 0)
+ continue;
+
+ if (krb5_principal_compare(context, proxy, acl)) {
+ code = 0;
+ krb5_free_principal(context, acl);
+ break;
+ }
+ krb5_free_principal(context, acl);
+ }
+
+ return code;
+}
krb5_db_entry *client, krb5_db_entry *server,
krb5_timestamp authtime, krb5_error_code error_code);
+krb5_error_code
+krb5_ldap_check_allowed_to_delegate(krb5_context context,
+ krb5_const_principal client,
+ const krb5_db_entry *server,
+ krb5_const_principal proxy);
+
/* DAL functions */
krb5_timestamp stamp,
krb5_error_code status);
-/* kdb_ext.c */
-krb5_error_code
-krb5_ldap_invoke(krb5_context context,
- unsigned int method,
- const krb5_data *req,
- krb5_data *rep);
-
#endif
krb5_ldap_get_mkey_list
krb5_ldap_check_policy_as
krb5_ldap_audit_as_req
-krb5_ldap_invoke
+krb5_ldap_check_allowed_to_delegate